Problem with Keystone and Active Directory

asked 2014-12-14 05:44:23 -0500

mathias

I started integrating Keystone into Active Directory and experienced some problems. First, the relevant parts of my keystone.conf:

[assignment]
driver=keystone.assignment.backends.sql.Assignment

[identity]
default_domain_id=default
driver=keystone.identity.backends.ldap.Identity

[ldap]
url=ldap://10.0.0.2
user=cn=ldap bind,cn=Users,dc=customer,dc=invalid
password=OpenStack123
suffix=cn=customer,cn=invalid
use_dumb_member=true
dumb_member=cn=ldap bind,cn=Users,dc=customer,dc=invalid
user_tree_dn=cn=Users,dc=customer,dc=invalid
user_filter=(memberof=CN=OpenStack-Users,OU=OpenStack,DC=customer,DC=invalid)
user_objectclass=person
user_id_attribute=cn
user_name_attribute=sAMAccountName
user_mail_attribute=mail
user_pass_attribute=
user_enabled_attribute=userAccountControl
user_enabled_mask=2
user_enabled_default=512
user_attribute_ignore=password,tenant_id,tenants
user_allow_create=False
user_allow_update=False
user_allow_delete=False

So, you can see that I want users to be stored in AD while Roles and Tenants should remain in Keystone's SQL database. Here is what works:

root@identity01:~# keystone user-list
+---------------+---------------+---------+-------+
|       id      |      name     | enabled | email |
+---------------+---------------+---------+-------+
|     De mo     | OpenStackDemo |   True  |       |
|     glance    |     glance    |   True  |       |
| Mathias Ewald | mathias.ewald |   True  |       |
+---------------+---------------+---------+-------+
root@identity01:~# keystone tenant-list
+----------------------------------+---------+---------+
|                id                |   name  | enabled |
+----------------------------------+---------+---------+
| 7b8ce6b850174fd1a94e2c4769017342 |  admin  |   True  |
| c904a3ec713e4949b67684a8a6f9dd94 |   demo  |   True  |
| 7c90d3c07a25400da11414c528cf6921 | service |   True  |
+----------------------------------+---------+---------+
root@identity01:~# keystone user-role-add --user mathias.ewald --tenant admin --role admin
root@identity01:~#

Now, I wanted to double check what just happened:

root@identity01:~# keystone user-role-list --user mathias.ewald --tenant admin
An unexpected error prevented the server from fulfilling your request: {'info': '000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0\n', 'desc': 'Operations error'} (Disable debug mode to suppress these details.) (HTTP 500)
root@identity01:~#

I prepared a PasteBin with the debugging output in keystone-all.log: http://pastebin.com/L5Ywnfsh

Any ideas what is going on?


Comments

In line 42 of the pastebin, we can see that the last ldap search performed is to find the groupOfNames objects the user is member of. I can tell the query works: I just checked with ldapsearch: http://pastebin.com/vpRNqtkL

mathias (2014-12-14 10:06:21 -0500)
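Before chasing the AD error itself, it is worth checking offline what search bases and filters a [ldap] section like the one above will actually produce. The script below is an added example written for this page; it is not the poster's code and not part of Keystone. It parses a constructed copy of the posted section (password replaced with a placeholder), derives the effective user and group search bases, builds the user-lookup and group-membership filters with proper RFC 4515 escaping, and reports configuration points a reviewer would flag, including that `suffix=cn=customer,cn=invalid` is not a parent of `user_tree_dn`, that `group_tree_dn` is unset, and that the bind goes over plain `ldap://` without `use_tls`. Two things are assumptions, not verified against this Keystone release: that an unset `*_tree_dn` falls back to `<default ou>,<suffix>` (`ou=Users` / `ou=UserGroups`), and the default attribute and objectclass names (`inetOrgPerson`, `sn`, `groupOfNames`, `member`); the filter shape is equivalent to Keystone's even if operand order differs. It does not diagnose the 000020D6 error; it only narrows what to rule out.

```python
"""Offline sanity check for a Keystone [ldap] section (added example, not Keystone code)."""
import configparser
import re

# Constructed sample mirroring the posted section; the real password is replaced.
SAMPLE_CONF = """
[ldap]
url=ldap://10.0.0.2
user=cn=ldap bind,cn=Users,dc=customer,dc=invalid
password=REDACTED
suffix=cn=customer,cn=invalid
user_tree_dn=cn=Users,dc=customer,dc=invalid
user_filter=(memberof=CN=OpenStack-Users,OU=OpenStack,DC=customer,DC=invalid)
user_objectclass=person
user_id_attribute=cn
user_name_attribute=sAMAccountName
"""


def load_ldap_section(text):
    """Return the [ldap] section as a dict; '=' only, since DNs contain ':' and '='."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return dict(cp["ldap"])


def split_dn(dn):
    """Split a DN into lower-cased (attr, value) RDN tuples; ValueError if malformed."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        m = re.fullmatch(r"\s*([A-Za-z][A-Za-z0-9-]*)=(.+?)\s*", part)
        if not m:
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        rdns.append((m.group(1).lower(), m.group(2).lower()))
    return rdns


def dn_endswith(dn, suffix):
    """True if `suffix` is the tail of `dn` (case-insensitive RDN comparison)."""
    a, b = split_dn(dn), split_dn(suffix)
    return len(b) <= len(a) and a[-len(b):] == b


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def effective_bases(conf):
    """Search bases used; fallback '<default ou>,<suffix>' is an ASSUMED Keystone default."""
    suffix = conf["suffix"]
    return {
        "user": conf.get("user_tree_dn") or "ou=Users," + suffix,
        "group": conf.get("group_tree_dn") or "ou=UserGroups," + suffix,
    }


def build_user_filter(conf, username):
    """User lookup filter: objectclass AND name attribute AND the configured user_filter."""
    objcls = conf.get("user_objectclass", "inetOrgPerson")   # assumed default
    name_attr = conf.get("user_name_attribute", "sn")        # assumed default
    return "(&(objectClass=%s)(%s=%s)%s)" % (
        objcls, name_attr, escape_filter_value(username), conf.get("user_filter", ""))


def build_group_filter(conf, user_dn):
    """Group-membership filter, the last search seen in the posted log."""
    objcls = conf.get("group_objectclass", "groupOfNames")   # assumed default
    member_attr = conf.get("group_member_attribute", "member")  # assumed default
    return "(&(objectClass=%s)(%s=%s))" % (objcls, member_attr, escape_filter_value(user_dn))


def check(conf):
    """Return a list of human-readable findings about the section."""
    findings = []
    for key in ("user", "suffix", "user_tree_dn", "group_tree_dn"):
        if key in conf:
            try:
                split_dn(conf[key])
            except ValueError as exc:
                findings.append("%s: %s" % (key, exc))
    bases = effective_bases(conf)
    if "suffix" in conf and not dn_endswith(bases["user"], conf["suffix"]):
        findings.append(
            "suffix %r is not a parent of user_tree_dn %r; every base derived from the "
            "suffix (here the group base %r) lies outside the AD naming context"
            % (conf["suffix"], bases["user"], bases["group"]))
    if "group_tree_dn" not in conf:
        findings.append("group_tree_dn is unset; group searches will use %r" % bases["group"])
    if conf.get("url", "").startswith("ldap://") and conf.get("use_tls", "false").lower() != "true":
        findings.append("bind password travels in clear text: url is ldap:// and use_tls is off")
    return findings


if __name__ == "__main__":
    conf = load_ldap_section(SAMPLE_CONF)
    print("bases:", effective_bases(conf))
    print("user filter:", build_user_filter(conf, "mathias.ewald"))
    print("group filter:", build_group_filter(conf, "cn=Mathias Ewald," + conf["user_tree_dn"]))
    for f in check(conf):
        print("FINDING:", f)
```

Run it against a real keystone.conf by swapping `SAMPLE_CONF` for the file contents; the printed filters and bases are what to paste into `ldapsearch -b <base> '<filter>'` to compare, one search at a time, with what Keystone logged.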